Netatalk Security Advisory
| Subject | Dead bounds check in Spotlight RPC unmarshaller |
|---|---|
| CVE ID# | CVE-2026-44057 |
| Severity | None |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 3.0.0 - 4.4.2 |
| Summary | A bounds check on an unsigned value in the Spotlight RPC unmarshaller is dead code and therefore never executes |
Description
A Spotlight RPC bounds check contains dead defensive logic. The Netatalk team does not consider this issue independently exploitable; its significance is as a defense-in-depth weakness related to broader Spotlight unmarshalling hardening.
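To make the defect class concrete, the following C example is added to this advisory; it is constructed for illustration and is not Netatalk's Spotlight RPC code. The buffer layout and the names `before_fits`, `after_fits`, `read_u32_le` and `msg` are assumptions. It places a bounds check that can never be true for an unsigned value (and so is dropped by the compiler) beside a check that is live and cannot wrap:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration of the defect class named in this advisory: a
 * bounds check on an unsigned value that can never be true. The buffer layout,
 * function names and sizes are assumptions for the example; none of this is
 * Netatalk's Spotlight RPC code.
 */

/* "Before": the author intended to reject offsets past the end of the buffer by
 * testing for a negative remaining length. `remaining` is size_t, so
 * `remaining < 0` is always false; the compiler drops it (gcc warns under
 * -Wextra/-Wtype-limits, clang under -Wtautological-unsigned-zero-compare).
 * The subtraction also wraps when offset > buflen, so the surviving test
 * `remaining >= need` passes for an out-of-range offset. */
static bool before_fits(size_t buflen, size_t offset, size_t need)
{
    size_t remaining = buflen - offset;   /* wraps to a huge value if offset > buflen */
    if (remaining < 0)                    /* dead code: an unsigned value is never negative */
        return false;
    return remaining >= need;
}

/* "After": order the comparisons so nothing can wrap. First confirm the offset
 * itself lies inside the buffer, then compare the exact remainder against the
 * requested size. No addition is performed, so offset + need cannot overflow. */
static bool after_fits(size_t buflen, size_t offset, size_t need)
{
    if (offset > buflen)
        return false;                     /* offset beyond the end */
    return buflen - offset >= need;       /* remainder is exact here */
}

/* A minimal unmarshalling step guarded by the corrected check: read a
 * little-endian u32 at `offset`. Returns false instead of touching memory
 * outside [buf, buf + buflen). */
static bool read_u32_le(const uint8_t *buf, size_t buflen, size_t offset, uint32_t *out)
{
    if (!after_fits(buflen, offset, sizeof(uint32_t)))
        return false;
    *out = (uint32_t)buf[offset]
         | ((uint32_t)buf[offset + 1] << 8)
         | ((uint32_t)buf[offset + 2] << 16)
         | ((uint32_t)buf[offset + 3] << 24);
    return true;
}

/* Constructed 8-byte message: two little-endian u32 fields (1 and 0xDEADBEEF). */
static const uint8_t msg[8] = { 0x01, 0x00, 0x00, 0x00, 0xEF, 0xBE, 0xAD, 0xDE };

int main(void)
{
    uint32_t v = 0;

    printf("before_fits(8, 10, 4) = %d  (dead check: out-of-range offset accepted)\n",
           before_fits(sizeof msg, 10, 4));
    printf("after_fits(8, 10, 4)  = %d  (live check: rejected)\n",
           after_fits(sizeof msg, 10, 4));
    if (read_u32_le(msg, sizeof msg, 4, &v))
        printf("field at offset 4 = 0x%08x\n", v);
    printf("read at offset 6 -> %d (rejected, only 2 bytes remain)\n",
           read_u32_le(msg, sizeof msg, 6, &v));
    return 0;
}
```

Building with `-Wextra` (gcc) or `-Wtautological-unsigned-zero-compare` (clang) reports the dead comparison at compile time; treating those warnings as errors in CI is the cheapest way to keep this class of check from going dead unnoticed after a type change.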
Patch Availability
Apply CVE-2026-44057,CVE-2026-44066.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
While the issue at hand has low practical exploitability, the patch also addresses the related independently exploitable issue in CVE-2026-44066, so applying it may be worthwhile for defense-in-depth even if CVE-2026-44057 itself is not a concern.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N (0.0)
This score reflects that the defect has no independent exploitable impact. The attack complexity and authentication requirement are included for completeness given the network-reachable code path.
Workaround
Least concern.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team
References
- GHSA-v8pq-cg4v-xg5q
- CVE-2026-44066 — related independently exploitable issue in the same code